What personal data does Questionmark store?
In order to ensure compliance with data protection laws across the world, it's helpful to understand what personal data—information about an identifiable individual—is stored in Questionmark. The amount and type of personal data depends on customer behavior, e.g., how Questionmark is configured and what questions are asked of participants.
This Knowledge Base article lists the personal information automatically captured by Questionmark software and provides some indication as to what other information might be stored. This article focuses on the personal information captured about participants (users who take assessments) but also covers information captured about administrators (users who use Questionmark software to create and manage users, create assessments, run reports on assessment results, etc.).
The article contains the following sections:
- Information captured about participants
- Information captured about participants when taking an assessments
- Information captured during online proctoring
- Information captured about administrators
All participants within Questionmark are referenced by a unique participant identifier. Different organizations use different mechanisms as this identifier—common examples include a participant's email address or a unique employee, candidate, or student ID.
The following information is also usually stored for a participant:
- Their email address
- The language in which the participant takes assessments
- Whether the participant is blocked in Questionmark or not (e.g., from too many consecutive unsuccessful login attempts)
- The group(s) with which are associated
- Their password
- The date and time the user was created
- The date and time user last logged in
- The participant's role (usually just "Participant", but other roles can also be assigned to participants)
Questionmark allows you to enter further personal information about participants, but this is optional. This information can include:
- The participant's first, middle and last name
- An alternate name and title for the participant
- The gender of the participant
- The participant's date of birth
- Organizational information about the participant, including the name of their organization and department within it
- The primary and secondary address of the participant
- Other details that the customer chooses to collect about the participant, e.g., demographic data
When someone takes an assessment in Questionmark software, the following information about them is captured:
- General information (as listed in the Information captured about participants section)
- The assessment name and other details about the assessment and questions delivered
- The schedule name and group name used to schedule the assessment (both text fields defined by the customer)
- The IP address of the person taking the assessment
- The user agent string of browser, which gives details of which browser the participant is using and some limited information on the device used
- The language in which the browser is running
- The date and time the assessment started
- The date and time each question was answered (in some cases, also the time taken to review and answer each question)
- The answer given by the participant to each question, along with any comment left by the participant, if allowed
- The feedback set by the assessment author given to the participant
- Information derived by Questionmark from the answers including the score and outcome for each question and the score and outcome (including pass/fail) for the assessment
If Questionmark is integrated with a third-party system such as an LMS (Learning Management System), then Questionmark may also capture personal information sent by the third-party system when initiating the assessment, including first name, last name, and email address if supplied as well as further information if the third-party system chooses to pass it along.
If called via single sign-on through SAML, Questionmark may also record some information as configured by the customer received via SAML. For information about configuring SAML to capture demographic data, refer to the SSO Configuration section of the Questionmark User Guide.
Question answers can include further personal information, e.g., if you use a question in an assessment to ask someone for demographic or personal information, or if you survey someone on their beliefs or attitudes or opinions. It's also possible for participants to type in personal information into any question which allow the entry of text.
If you're delivering assessments with Questionmark's online proctoring, then additional personal information is captured. The information captured is defined by the assessment sponsor but can include:
- Copies of government-issued ID cards or other identification
- Video and/or audio images of the participant taking the assessment
- Images of the screen during the assessment
- Timing of the proctor interactions with the participant
- Proctor reports on potential incidents
Administrators include monitors, proctors, observers, authors, and reporters. Administrators are usually identified by email address and always have a role which defines what they can do in Questionmark. It's also possible to record the same general information about an administrator as with participants.
In order to provide a legally defensible audit trail, actions by administrators are usually recorded with the action taken and the date and time that it happened, e.g., if an administrator creates or edits a question, that the administrator edited the question and the date and time the question was edited is recorded.